Watch out for security cameras, warn experts. Research found holes in security

Experts on internet security had some suspicions, so they put them to the test. They thought that security cameras might be actually inviting hackers into networks of companies they tried to protect. But how many attackers would actually employ these when searching for a way in?

They did a practical test. Five routers, DVR systems and IP cameras were set up and connected to the internet. Every device was fully patched and ran on default settings.

How did they fare in the test?

They were almost immediately probed by hackers’ automated scans. First camera failed in this stage, just minutes into the test.

Several hours later, hackers have already tried to gain access through ports of all five cameras. Some probes were looking for the most obvious holes in security, others were more sophisticated about their approach and went after ports usually used for DVR systems.

Twenty-four hours later, two devices were completely under the control of hackers. They allowed them access to internal network, upload malicious code and access internal data.

One camera folded under the attackers’ probing and died completely.

Cloudview, the company behind this test, is definitely not an impartial judge, as it sells (what it claims to be the only secure) cloud security services. However, their findings are still relevant and important for the global IT community.

More and more surveillance. World market with security cameras is growing quickly

The exact numbers of security cameras in different countries in the world are impossible to figure out (few years ago, experts estimated them to be at around 25 million). It's however absolutely certain that there are more and more of these devices around. The world market with security cameras tripled over the last seven years.

They have pointed out a real problem that goes unnoticed in many otherwise secure-conscious companies. A system purchased for the sole purpose of security and protection can be paradoxically subverted by hackers and used to make their approach easier. And there actually are many of such attackers on the net, mostly using automated tools scan vulnerable targets accessible from the internet. While it may seem counterintuitive, many security devices are – mainly because of poor practices – really accessible from the wider internet.

It’s yet another vector of attack that hackers can use to gain entry into computers of individuals and companies. The blame rests squarely on devices that flaunt security in their name.

Security devices bleed through port forwarding

According to experts, these systems have several significant security holes that shortlist them for use by hackers. They found these holes unplugged in DVR systems as well as in IP cameras.

The weak spots were in the way these devices communicate over the network, say experts. Mainly in port forwarding and usage of dynamic DNS, but also in insufficiently updated firmware (sometimes provided with backdoors preinstalled by the manufacturer) or just poor code overall.

The researchers were looking for vulnerabilities in more than fifteen DVR devices and found at least some in every last one of them. Some of these were fairly trivial, others very grave – unmitigated access into memory, vulnerability against SQL injection attack or default admin credentials. The experts claim that DVR systems have the same performance characteristics as a small web server. The level of security, though, is worse by degrees.

„Most of the devices tested were compromised in less than an hour.“

The research done by Cloudview is not the only one pointing out these vulnerabilities. The abysmal security of surveillance devices was previously probed also by people from the UK security company Pen Test Partners.

What next? Cut the cameras’ network access

What can be done about this?

There are no easy solutions. Generally, many threats might be prevented if the companies in question consider security cameras as just another sensitive computer system and treat them accordingly. They should be entrusted to IT departments who will regularly run tests on them and think their security through before, and not after, the first hacking incident.

Surveillance systems should ideally not be accessible from the outside network, they should form a closed circuit, as the CCTV acronym suggests. If an outside access is absolutely necessary, the IT department must take care to secure it thoroughly. These are live devices that need regular patching, updating, monitoring and penetration testing by IT folks. That’s the only way companies can be sure their surveillance systems work for them, not against them.